

Removing SSL Passphrase

February 04, 2007

(From http://kbase.redhat.com/faq/FAQ_85_5447.shtm)


When Apache is configured for SSL encryption, the passphrase for the encrypted key is required each time the service is started.


Apache requires the passphrase to decrypt the private key at startup. This method is the most secure. However, it can be a nuisance since you are prompted for the passphrase each time the service is started (for example, each time the server is rebooted). The passphrase can be avoided if the key is decrypted.


Note: Encrypting the private key is very important. If a hacker obtains your unencrypted key, they can impersonate your web server from any location. Thus, if you do decide to decrypt the key to avoid the passphrase, make sure the system is secure and only allows root access to the file.


By default, the private key is located in the directory /etc/httpd/conf/ssl.key/. To decrypt the key, first make a backup copy of the encrypted key. For example:


# cd /etc/httpd/conf/ssl.key


# cp myserver.key myserver.key.encrypted


The following command will rewrite the private key without encryption. You will be prompted for the passphrase to decrypt the key:


# openssl rsa -in myserver.key.encrypted -out myserver.key


One way to secure the decrypted key is to ensure it is readable only by root:


# chmod 400 myserver.key
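To confirm the result of the steps above, the following added example (not part of the original Red Hat article) checks whether a key file is still passphrase-protected and, if it is not, whether it is restricted to its owner. The function name audit_key and the sample files are constructed for illustration; the expected owner defaults to uid 0 (root), as the note above recommends.

```shell
#!/bin/sh
# audit_key FILE [UID] (hypothetical helper name): returns 0 when FILE is either
# still passphrase-protected, or an unencrypted key owned by UID (default 0,
# root) with no group/other access. Returns 1 when exposed, 2 when missing.
audit_key() {
    key=$1
    want_uid=${2:-0}
    [ -f "$key" ] || { echo "$key: not a regular file"; return 2; }

    # Traditional PEM marks encryption with a Proc-Type header; PKCS#8 uses
    # a distinct BEGIN line. Either one means a passphrase is still required.
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "$key: encrypted (passphrase required at startup)"
        return 0
    fi

    rc=0
    # ls -ldn prints e.g. "-r-------- 1 0 0 ..."; characters 5-10 of the mode
    # string are the group and other permission bits, field 3 is the owner uid.
    listing=$(ls -ldn "$key")
    go_bits=$(printf '%s\n' "$listing" | cut -c5-10)
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    if [ "$go_bits" != "------" ]; then
        echo "$key: unencrypted and accessible to group/other ($go_bits)"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "$key: unencrypted and owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$key: unencrypted, restricted to uid $want_uid"
    fi
    return "$rc"
}

# Constructed sample files: PEM header lines only, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo/myserver.key.encrypted"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo/myserver.key"
chmod 644 "$demo/myserver.key"
audit_key "$demo/myserver.key.encrypted" "$(id -u)" || true
audit_key "$demo/myserver.key" "$(id -u)" || true   # flagged: mode 644
chmod 400 "$demo/myserver.key"
audit_key "$demo/myserver.key" "$(id -u)" || true   # passes after chmod 400
rm -rf "$demo"
```

On a real server, run audit_key /etc/httpd/conf/ssl.key/myserver.key with no second argument so that ownership is checked against root.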


